NVD Vulnerability Details: CVE-2024-37306
Status: Analyzed
Source: security-advisories@github.com
Published At: 13 Jun, 2024 | 15:15
Updated At: 21 Jan, 2025 | 14:37

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. Starting in version 2.2.0 and prior to version 2.14.3, if an attacker can trick a logged-in CVAT user into visiting a malicious URL, they can initiate a dataset export or a backup from a project, task or job that the victim user has permission to export into a cloud storage that the victim user has access to. The name of the resulting file can be chosen by the attacker. This implies that the attacker can overwrite arbitrary files in any cloud storage that the victim can access and, if the attacker has read access to the cloud storage used in the attack, they can obtain media files, annotations, settings and other information from any projects, tasks or jobs that the victim has permission to export. Version 2.14.3 contains a fix for the issue. No known workarounds are available.

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Type: Primary
Version: 3.1
Base score: 7.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CPE Matches
Vendor: cvat
Product: computer_vision_annotation_tool
Versions: from 2.2.0 (inclusive) to 2.14.3 (exclusive)
CPE: cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-352
Type: Secondary
Source: security-advisories@github.com

CWE ID: CWE-352
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
Hyperlink: https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce
Source: security-advisories@github.com
Resource: Patch

Hyperlink: https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7
Source: security-advisories@github.com
Resource: Patch, Vendor Advisory

Hyperlink: https://github.com/cvat-ai/cvat/commit/5d36d10e493d92e893d7eae595544bcbe9cce1ce
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Patch

Hyperlink: https://github.com/cvat-ai/cvat/security/advisories/GHSA-jpf9-646h-4px7
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Patch, Vendor Advisory
Change History
0 changes found
Details not found